A former cybersecurity executive at Twitter has blown the whistle on his observations of systemic data security lapses at the company, undercounting of fake accounts, and how the social media platform could be manipulated by foreign intelligence services.
Peiter “Mudge” Zatko, Twitter’s former head of security, sent a 200-page disclosure to Congress and several regulatory agencies in July outlining the alleged problems in detail, according to reports Tuesday by CNN and the Washington Post.
Zatko said he was fired by Twitter in January after he shared his concerns internally with management, including Chief Executive Parag Agrawal, who was once the company’s chief technology officer.
The disclosure has not been made public, but Zatko made it lawfully and deserves whistleblower protections, according to Whistleblower Aid, a nonprofit group that submitted the disclosure on his behalf.
Responding to media outlets, a Twitter spokesperson said Zatko’s allegations represent “a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers, and its shareholders.”
As with Facebook whistleblower Frances Haugen, Zatko’s allegations reveal a number of potential compliance issues within Twitter that could become teachable moments for compliance officers. Below are five.
Lax cybersecurity protocols: The meat of Zatko’s disclosure focused on the company’s poor cybersecurity practices, including that half of its servers allegedly run outdated software that no longer receives vendor updates and does not support basic security features, such as encryption of stored data. The company also lacks sufficient redundancy procedures to recover from data center crashes, meaning even minor outages can knock the entire service offline for hours or more, Zatko said.
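The two lapses described above, software past vendor support and data stored without encryption, are the kind of claims a compliance officer would want to measure rather than take on faith. The following is an added example, not code from the article or from Twitter, of a small inventory audit: it takes a constructed host inventory (the field names and dates are assumptions, not any real asset system’s) and reports what share of hosts is out of support and what share lacks encryption at rest.

```python
"""Added example (not from the article): an inventory audit that measures
the share of hosts past vendor support and the share without encryption at
rest. The inventory and its field names are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    os_release: str
    support_ends: date       # vendor end-of-support date (constructed)
    storage_encrypted: bool  # whether encryption at rest is enabled


# Constructed sample inventory; "vendor-os N" is a placeholder release name.
INVENTORY = [
    Host("db-01", "vendor-os 6", date(2020, 11, 30), False),
    Host("db-02", "vendor-os 8", date(2029, 5, 31), True),
    Host("api-01", "vendor-os 7", date(2024, 6, 30), True),
    Host("api-02", "vendor-os 6", date(2020, 11, 30), False),
    Host("cache-01", "vendor-os 8", date(2029, 5, 31), False),
    Host("batch-01", "vendor-os 7", date(2024, 6, 30), True),
]


def unsupported_hosts(inventory: list[Host], today: date) -> list[Host]:
    """Hosts whose vendor support window has already closed."""
    return [h for h in inventory if h.support_ends < today]


def unencrypted_hosts(inventory: list[Host]) -> list[Host]:
    """Hosts that store data without encryption at rest."""
    return [h for h in inventory if not h.storage_encrypted]


def audit(inventory: list[Host], today: date) -> dict:
    """Summarise both lapses as shares of the fleet plus the offending hosts.

    Any non-zero share is reported as a finding: an unsupported or
    unencrypted host is a control gap regardless of how many there are.
    """
    total = len(inventory)
    unsupported = unsupported_hosts(inventory, today)
    unencrypted = unencrypted_hosts(inventory)
    findings = []
    if unsupported:
        findings.append("software past vendor support")
    if unencrypted:
        findings.append("stored data not encrypted")
    return {
        "unsupported_share": len(unsupported) / total,
        "unencrypted_share": len(unencrypted) / total,
        "unsupported": sorted(h.name for h in unsupported),
        "unencrypted": sorted(h.name for h in unencrypted),
        "findings": findings,
    }


if __name__ == "__main__":
    # Audit as of a constructed date close to the disclosure's timeframe.
    report = audit(INVENTORY, date(2022, 9, 1))
    print(f"out of support: {report['unsupported_share']:.0%} {report['unsupported']}")
    print(f"unencrypted:    {report['unencrypted_share']:.0%} {report['unencrypted']}")
    for f in report["findings"]:
        print("finding:", f)
```

The useful property of this check is that it is evaluated against a fixed date and the vendor’s own support calendar, so the same inventory gives the same answer to the auditor and to the company, and a host that drifts out of support shows up on the next run without anyone having to notice.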
Noncompliance with FTC consent order: The Federal Trade Commission (FTC) in 2010 alleged Twitter did not take adequate steps to prevent data breaches or bad actors from accessing thousands of customer accounts to send fake tweets. The two sides agreed to a consent order in 2011.
In its order, the agency required Twitter to “establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.” Zatko said the company has never complied with the order, which the company denies.
The FTC and Department of Justice (DOJ) combined to fine Twitter $150 million in May for violating the 2011 order by “misrepresenting” how it used nonpublic user information.
The FTC received a copy of Zatko’s disclosure, along with the DOJ and Securities and Exchange Commission, according to Whistleblower Aid.
How many bots are there?: Twitter is alone among social media companies in how it counts its number of users, Zatko said.
Its rivals track and report all active users, which is what Twitter also did until 2019. In that year, it switched to monetizable daily active users (MDAU), which the company says counts all users that could be shown an advertisement on the platform. All other accounts are in a separate bucket, for instance because they are known to be bots, Zatko said.
Twitter reports bots only as a percentage of MDAU, not as a percentage of the total number of accounts on the platform, which obscures the true scale of fake and spam accounts on the service, a move Zatko alleged is deliberately misleading.
The issue of how many bots are on Twitter is the central complaint made by Elon Musk as he attempts to unwind a $44 billion deal to buy the company.
Unfettered employee access: Thousands of employees—roughly half the company’s workforce—have access to some of Twitter’s critical controls, Zatko said.
Worse yet, the company allegedly has little in place to track employee movement and activity within the platform. The lack of such a monitoring system leaves it potentially unable to hold employees accountable for lapses or errors in judgment that lead to data breaches or more nefarious activities, like launching misinformation campaigns on behalf of a particular group or foreign government.
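Two controls are missing in the picture Zatko paints: a limit on who may use critical controls, and an audit trail that ties each use to a person and a reason. The following is an added example, not code from the article or from Twitter, of what a minimal privileged-access review over such a trail looks like. The role table, the audit log format and the ticket convention are all constructed assumptions; the review flags actions by users outside the authorised role, actions with no recorded justification, and granted roles that have gone unused for long enough to be revocation candidates.

```python
"""Added example (not from the article): a privileged-access review over a
constructed audit log. Policy, roles, log records and the ticket field are
all assumptions, not Twitter's internal systems."""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed policy: which roles may perform each critical action.
POLICY = {
    "account.suspend": {"trust-safety"},
    "account.impersonate": {"sre-oncall"},
    "config.deploy": {"sre-oncall", "release-eng"},
}

# Constructed role assignments (user -> roles held).
ROLES = {
    "alice": {"trust-safety"},
    "bob": {"sre-oncall"},
    "carol": {"release-eng", "sre-oncall"},
    "dave": set(),
    "erin": {"sre-oncall"},
}

# Constructed audit log, one JSON record per line; "ticket" is the
# assumed justification field (empty means no reason was recorded).
LOG = """\
{"ts": "2022-07-01T10:00:00", "user": "alice", "action": "account.suspend", "target": "u-1", "ticket": "TS-101"}
{"ts": "2022-07-01T10:05:00", "user": "dave", "action": "account.suspend", "target": "u-2", "ticket": "TS-102"}
{"ts": "2022-07-02T09:00:00", "user": "bob", "action": "account.impersonate", "target": "u-3", "ticket": ""}
{"ts": "2022-07-03T11:00:00", "user": "bob", "action": "config.deploy", "target": "svc-api", "ticket": "REL-7"}
{"ts": "2022-07-20T12:00:00", "user": "carol", "action": "config.deploy", "target": "svc-api", "ticket": "REL-9"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def privileged_share(roles: dict, policy: dict) -> float:
    """Fraction of users holding at least one role that unlocks a critical action."""
    critical_roles = set().union(*policy.values())
    holders = [u for u, rs in roles.items() if rs & critical_roles]
    return len(holders) / len(roles)


def review(events: list[dict], roles: dict, policy: dict, as_of: datetime,
           stale_after: timedelta = timedelta(days=30)) -> list[tuple]:
    """Return findings as (kind, user, detail, target) tuples."""
    findings = []
    last_use: dict[tuple[str, str], datetime] = {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        allowed = policy.get(e["action"], set())
        held = roles.get(e["user"], set()) & allowed
        if not held:
            # Action performed without any role that authorises it.
            findings.append(("unauthorized", e["user"], e["action"], e["target"]))
        if not e.get("ticket"):
            # Action happened but nobody can say why: no accountability.
            findings.append(("no-justification", e["user"], e["action"], e["target"]))
        for role in held:
            last_use[(e["user"], role)] = ts
    # A critical role that has not been exercised recently is a standing
    # exposure with no business need on record; flag it for revocation review.
    critical_roles = set().union(*policy.values())
    for user, rs in roles.items():
        for role in sorted(rs & critical_roles):
            used = last_use.get((user, role))
            if used is None or as_of - used > stale_after:
                findings.append(("stale-grant", user, role, ""))
    return findings


if __name__ == "__main__":
    print(f"users with critical access: {privileged_share(ROLES, POLICY):.0%}")
    for finding in review(parse_log(LOG), ROLES, POLICY, datetime(2022, 7, 31)):
        print(*finding)
```

The point of the review is that each finding is answerable from the records alone: the unauthorised action names the user and the control, the unjustified one names the missing ticket, and the stale grant names a role that can be removed without anyone losing work they actually do. Without the log, none of those questions can even be asked.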
Spies among us?: The U.S. government provided specific evidence to Twitter shortly before Zatko’s firing that at least one of its employees, perhaps more, was working for another government’s intelligence service, CNN reported. Zatko’s disclosure does not say whether Twitter was already aware or whether it subsequently acted on the tip.
A former Twitter manager, Ahmad Abouammo, was found guilty earlier this month in U.S. District Court for the Northern District of California of spying for Saudi Arabia and unlawfully sharing user information.
The fact that Twitter does not have an adequate employee monitoring system leaves it more vulnerable to these types of threats, Zatko said.